Varenyky is a dangerous Trojan with spyware functionality which also operates as a spambot. Security researchers believe the Varenyky spambot is currently under heavy development, meaning it will continue to evolve. At the heart of the Varenyky spambot operation is sextortion. The Trojan is designed to steal passwords and to spy on victims' screens via FFmpeg while they watch adult content.

Varenyky also communicates with its command and control server via Tor, and the spam that activates the operation is sent via email.

Threat Summary

Name

Varenyky

Type

Trojan, Spambot

Short Description

Varenyky is a Trojan and a spambot that is currently distributed via phishing and spam emails.

Varenyky Trojan and Spambot – Distribution Methods

According to WeLiveSecurity researchers, the Varenyky Trojan is currently targeting France, and more specifically the users of Orange S.A., a French ISP. The main distribution channel of the spambot is phishing emails. The researchers came across a spam campaign that redirected to a survey and a bogus smartphone promotion. However, another campaign relies on sextortion principles and spies on the victim's screen while they are visiting adult websites.

One of the malicious documents distributing Varenyky is attached to an email stating that a bill of €491.27 is available. Upon opening the supposed bill, the victim is notified that the document is protected by Microsoft Word and needs human verification. In other words, the victim is prompted to enable macros.

It is curious to note that the macro detected in this Word document uses the function Application.LanguageSettings.LanguageID() to obtain the language ID of the victim's computer.

"This ID contains the country and the language set by the user. The script checks if the value returned is 1036 in decimal (or 0x40C in hexadecimal) and according to the Microsoft documentation this value corresponds to France and the French language," WeLiveSecurity researchers explained.
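As an added example (not code from the article, nor from ESET/WeLiveSecurity or the malware itself), a small Python triage helper that scans VBA macro source, for instance as extracted with olevba, for the locale-ID gate described above and resolves the compared LCID to a locale name. The sample macro, the variable name `lid` and the LCID table are constructed for illustration.

```python
import re

# Windows locale IDs (LCIDs) that a geofencing macro may compare against.
# 1036 (&H40C in VBA hex notation) is the value quoted above: France / French.
LCID_NAMES = {1033: "en-US", 1036: "fr-FR", 1031: "de-DE",
              1034: "es-ES", 1040: "it-IT", 2057: "en-GB"}

LANG_CALL = "languagesettings.languageid"
# `lid = Application.LanguageSettings.LanguageID(...)`: remember the variable
ASSIGN_RE = re.compile(r"^\s*(\w+)\s*=\s*\S*" + re.escape(LANG_CALL), re.I)
# `<name>[)] = 1036` or `<name> <> &H40C`: a comparison against a constant
CMP_RE = re.compile(r"(\w+)\)?\s*(=|<>)\s*(&H[0-9A-F]+|\d+)\b", re.I)

def vba_int(literal: str) -> int:
    """Parse a VBA integer literal, decimal (1036) or hex (&H40C)."""
    return int(literal[2:], 16) if literal.upper().startswith("&H") else int(literal)

def find_language_gates(vba_source: str) -> list:
    """Return (line_no, lcid, locale) for every line that compares the Office
    language ID to a constant, either inline or through a variable assigned
    from LanguageID earlier in the macro. locale is None for unknown LCIDs."""
    tracked = set()   # variable names holding the language ID
    hits = []
    for lineno, line in enumerate(vba_source.splitlines(), 1):
        m = ASSIGN_RE.match(line)
        if m:
            tracked.add(m.group(1).lower())
            continue
        inline = LANG_CALL in line.lower()
        for name, _op, literal in CMP_RE.findall(line):
            if inline or name.lower() in tracked:
                lcid = vba_int(literal)
                hits.append((lineno, lcid, LCID_NAMES.get(lcid)))
    return hits

# Constructed sample in the style the article describes (not Varenyky's macro)
SAMPLE_MACRO = """\
Sub AutoOpen()
    Dim lid As Long
    lid = Application.LanguageSettings.LanguageID(msoLanguageIDUI)
    If lid <> 1036 Then Exit Sub
    Call Stage2
End Sub
"""

if __name__ == "__main__":
    for lineno, lcid, locale in find_language_gates(SAMPLE_MACRO):
        print(f"line {lineno}: language gate on LCID {lcid} ({locale or 'unknown'})")
```

A hit on a locale gate is a strong triage signal on its own: a legitimate invoice template has no reason to abort based on the reader's Office language.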

Varenyky Trojan – Technical Overview

As already mentioned, the Varenyky Trojan is currently targeting French victims via fake invoices in the form of Microsoft Word documents that prompt them to enable macros. When the potential victim opens the document and the macro is executed, the operation makes sure that the user is indeed French. If the victim is of another nationality, the malware operation ceases. If the French origin is confirmed, the malware communicates with its command and control server to determine which components to download. Varenyky also installs a piece of software that steals passwords and spies on victims via FFmpeg when they are watching pornographic content online.

The Varenyky Trojan can also detect specific "trigger" keywords of a sexual nature as well as websites (such as YouPorn, PornHub, and Brazzers). When any of these keywords is caught, the malware records the computer's screen via an FFmpeg executable. The recorded content is then sent to the command and control server. Obviously, the reason for recording the victim's screen under these specific circumstances is sextortion and blackmail. It is also highly possible that Varenyky will be used in highly targeted campaigns.

Remove Varenyky Trojan

If your computer system got infected with the Varenyky Trojan, you should have some experience in malware removal. You should get rid of this Trojan as quickly as possible before it gets the chance to spread further and infect other computers. Consider removing the Trojan immediately, and follow the step-by-step instructions available below.